Chase and MasterCard Jump Into Mobile Payments (itworld.com)
itwbennett writes: JP Morgan Chase said Monday that it plans to launch its own smartphone payment platform in mid-2016. 'Chase Pay will be based on CurrentC, a retailer-led mobile payment system that has largely been written off by Silicon Valley techies for its reliance on barcodes rather than the more sophisticated NFC (near-field communications) technology adopted by its competitors,' writes Martyn Williams. CurrentC, and therefore Chase Pay, is compatible with a much larger number of smartphones than the rival services from Apple, Google and Samsung.
Meanwhile, MasterCard announced a program that aims to turn any type of gadget into a payment device, from car keys to fitness trackers.
Yes, the phone in your pocket is also a computer. No, it is not as secure as your desktop or laptop.
Never trade security for convenience.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Why would anyone want to pay with a phone? How is it any more convenient than paying by card or cash?
Not to mention the enormous invasion of privacy which gives them all the info about your finances.
Well, if you are using the app directly from the credit card company / bank, I imagine the privacy factor is about the same whether using a card or a phone. I'd much rather carry my phone around and leave my credit cards at home. It's easier for me to keep track of my phone and I notice if it is missing much faster than if a card (or wallet) is missing.
Hopefully the apps from the bank work with rooted phones. I haven't had a chance to use this tech yet (even though I have a Note 5) since I rooted my phone - which stops Samsung and Android Pay from working.
You must not have shopped in a retail store lately, or you would have noticed that every cashier is quite familiar with barcode readers, and in busy stores, they are used thousands of times a day.
Hopefully the apps from the bank work with rooted phones. I haven't had a chance to use this tech yet (even though I have a Note 5) since I rooted my phone - which stops Samsung and Android Pay from working.
This is not entirely true. To add a credit card to Android Pay it was necessary to unroot my phone. Once the card was added, I re-rooted my phone. Android Pay still works.
With NFC, you can approve the transaction without removing your phone from wherever it's currently stored (pocket, purse, etc.). That's the advantage.
"Remind me again why NFC is "better" than bar codes?"
Because of its shorter working range and its ability to transfer more information, and quicker; it also eliminates differences introduced by different brightness/display sizes of phones.
"You can't remotely intercept a bar code very well or easily"
Interception device is called a camera.
"You can verify what you present to the register."
The majority of people don't decode barcodes quickly enough.
"Your phone can't be tricked, remotely, into thinking it's paying for something while you sit on the bus next to the guy with the laptop."
It can't be tricked either way. a) Android phones only enable NFC chips when the screen is active. b) Asking for a simple confirmation on-screen with details of transactions is just as simple.
"The imaging devices needed to read them are cheaper than NFC transceivers."
Sure, an optical scanner is way cheaper than a 3-dollar chip.
It will be so nice standing in a busy supermarket about to pay only to realize you forgot to charge your phone, won't it?
-=This sig has nothing to do with my comment. Move along now=-
Ah. So not looking to make any big purchases, then?
It will be so nice standing in a busy supermarket about to pay only to realize you forgot to charge your phone, won't it?
Or forgot your wallet? That happens to me more often than not having a charged phone. Granted, everyone's mileage will vary with this as with anything else.
"Why would anyone want to pay with a phone?"
Whenever you hand your credit card to a clerk, there is a possibility that it could be scammed. Your card information could go into the retailer's database, which can eventually be hacked, compromising millions of people at once.
Phone payment systems, on the other hand, can be set up so that only a one-time code gets transmitted to the retailer. It can't be used for anything after the one transaction, and there is nothing to store in a vulnerable database.
Most banking apps seem to work on rooted devices, but Lloyds bank's does not. It tells you to use their web site via your mobile browser instead. That's why I left Lloyds bank.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Phone payment systems, on the other hand, can be set up so that only a one-time code gets transmitted to the retailer. It can't be used for anything after the one transaction, and there is nothing to store in a vulnerable database.
EMV provides a similar one-time code. No phone required.
It's the switch from the you-can't-both-get-in-the-middle-of-the-signals,-and-guess-a-number dept. to the trust-me-I'm-a-doctor dept.
While this is true, the problem is that it's still often normal to hand your card to a clerk rather than inserting it for a chip transaction. Even where that's not the case, it wouldn't take much for someone to use cameras to gather the information necessary to use EMV cards fraudulently online.
B) Eliminate all the stupid users. This is frowned upon by society.
Good points. I'd add these:
B) Eliminate all the stupid users. This is frowned upon by society.
In my case, and probably the case of a lot of other people, my driver's license is IN my wallet. I never leave home without it.
-=This sig has nothing to do with my comment. Move along now=-
When I looked into it, the advantages to something like Apple Pay (but not any of these CurrentC-based initiatives) seemed pretty evident:
1) It's significantly more secure than carrying a card in the US. For instance, Apple Pay generates single-use tokens that take the place of credit card numbers. Had consumers been using it when the Home Depot and Target hacks happened last year against the point of sale systems, the hackers would have just gotten a list of consumed tokens that were utterly useless. Likewise, were my phone/card stolen, I'm less likely to notice a missing card than a missing phone, but both of them can be deactivated remotely. On the plus side for the iPhone*, even if I don't deactivate it, it'll fully lock itself and require my lengthy password after 48 hours, meaning that any would-be thieves would have a very narrow window during which to use Apple Pay, and it would be complicated by the fact that they'd have to first reproduce my fingerprints. That alone negates a lot of common thievery. And if we're getting into the sort of state-sponsored thievery that would be good enough to crack into the hardware encrypted Secure Enclave in an iPhone where the credit card info is stored, then Apple Pay is, frankly, the least of my worries.
2) It's more convenient. No more pulling cards out of my wallet, then having to put them back in the right place. No having to navigate to and through apps. No having to manually generate QR codes and the like. No having to count out cash. Fewer things to carry. I'd love to eliminate the cards I carry from my EDC. I already have my health and car insurance "cards" on my phone. Some US states are permitting digital driver's licenses. And I stopped carrying cash on a regular basis years ago for a variety of reasons. My credit cards are one of the bulkiest things I still carry.
3) It's more private than credit cards. Again, speaking of Apple Pay and the like as opposed to CurrentC-based programs, they're specifically designed to protect your privacy against intrusion by the retailers. Credit card numbers can be captured by retailers and are routinely compiled into large databases that track you and your purchases across all of their chains and subsidiaries, both in-store and online. In contrast, the one-use tokens that Apple Pay uses aren't linked back to your identity or any of your identifying information in any way (though I think I heard that they were about to allow users to opt-in to providing info to specific retailers in exchange for discounts/rewards/customer loyalty type stuff), and because they're single-use, they can't be tracked from one purchase to the next. It strips retailers of their ability to track you via your payment method, though, obviously, cash shares that same advantage.
In contrast, CurrentC-based systems like Chase's are designed by retailers (headed by Wal-Mart) for retailers, since it tracks your location both inside and outside of the stores, requests access to as much information as it can get on your phone (including any health information you store on the phone), and provides identifying information in its QR codes so retailers can easily recognize you.
All of which is to say, paying by phone has some major advantages, but, as with many topics we discuss here on /., the devil is in the details.
* Hypothetically speaking, since I don't actually have an iPhone with Apple Pay.
So far everywhere I've used the chip in my new EMV card, I first handed it to the cashier and they tried to swipe, and it denied it saying I had to use the chip, which every single time has been facing downward and towards me, somewhat out of view of anybody (or anything) besides myself.
Everywhere I've done this, this has been the case at any rate, which includes every Walmart, every restaurant, etc. I don't know if that's the standard, but it wouldn't surprise me if the terms of the merchant agreement required it.
Besides, I really *really* doubt somebody would bother with using a camera. The odds of you getting all of the relevant info (which includes the CVV number on the back) is unlikely, and would probably take more time and money to set up than it's worth. Especially when you consider that the only cases where they do an actual investigation on credit card fraud, they look for a bunch of customers that have happened to shop at the same place, and then begin investigating that establishment.
Even if they did get your credit card information, what will it cost you? Oh that's right, the inconvenience of being without your credit card for a week while they send you a new one, because your bank (like most banks) offers zero fraud liability (unless you have truly shitty credit.)
In my case....my driver's license is IN my wallet.
Mine too. I'm just amazingly unorganized.... I don't know why I don't just leave it in my car.
Forgot to mention that CurrentC does ACH transactions (free for the retailer) to access your money directly. This means that like your debit card, if the CurrentC phone or payment processor (terminal or backend) is compromised, any money lost is unrecoverable.
It will be so nice standing in a busy supermarket about to pay only to realize you forgot to charge your phone, won't it?
Or forgot your wallet? That happens to me more often than not having a charged phone. Granted, everyone's mileage will vary with this as with anything else.
Forgot your wallet? How did you get wherever you were going without your wallet? Hopefully you didn't drive, because that would be illegal. I have literally NEVER forgotten my wallet. I used to forget my phone maybe once a year back when carrying a phone first became a thing. Now I never forget my phone. I have had my phone go dead on me though. Either the battery ran out or there was no service. I have never had that happen with my wallet or my credit cards.
If you are not allowed to question your government then the government has answered your question.
Phone payment systems, on the other hand, can be set up so that only a one-time code gets transmitted to the retailer. It can't be used for anything after the one transaction, and there is nothing to store in a vulnerable database.
That seems like it would only be possible if your phone is able to communicate with the card carrier, which it is not always able to do.
If you are not allowed to question your government then the government has answered your question.
Yup, I forgot about that one, since it's been awhile since I last looked into CurrentC. That's definitely one of the worse things about it, but the whole thing is really just a bad system from the consumer side of things. It places complete trust in retailers (who have shown they're not trustworthy), gives them more access to your data (e.g. health, birthdate, photos), enables them to track you more easily (e.g. location tracking, tracking purchases across multiple cards you have in the app, tracking you between all MCX partner stores), opens you up to new forms of attack (e.g. draining your account, as you mentioned), and, frankly, when I've seen the process demonstrated, it strikes me as being on par with or less convenient than a credit card at checkout.
Given the substantial security and privacy concerns, the lack of additional convenience, and the massive, unwarranted escalation of privileges, I see absolutely no reason to ever consider CurrentC for personal use. If anything, I'm more inclined to view it as a form of adware (given that it can creepily deliver ads to you as you walk around the store based on where you are in the store and your past purchase history) than a viable tool.
The Mastercard CC 'online banking' website where you can check your withdrawals etc. is a pile of shit:
- lousy security (password A-Za-z0-9 only and with a maximum of 10 characters)
- the information reported on each purchase is often useless, with an entirely different company listed than the place you actually purchased from, with limited-length fields chopping off half the name etc.
- unnecessary jumping-through-hoops to download monthly statements (and no, you shouldn't name them all "download.pdf")
- no way to download a list of transactions in a format importable in a finance app or spreadsheet
- no way to get an alert for withdrawals
More purchases via CC = more need for monitoring, but as it stands it's a website I avoid as much as possible.
So far Android and Samsung Pay are big flops. Android Pay supports almost no cards at all. Samsung Pay works on only a few of their most recent and expensive devices. Hopefully some company like Intuit will come along and kick their butts. I also don't understand something about this technology: How can it be that any cards do not work with it? If the technology were designed right, then all cards would simply have to work with it in lieu of their being actual cards. What's this BS with Chase not working with them because now they want to have their own pay app? This is what would have happened if the early pioneers who laid the foundations of the Internet which we use today had been greedy losers like all the people in the tech industry today. There would be no universal standard or protocol which everyone would use. Instead a bunch of different greedy losers all trying to capitalize off their niche and no standard. We would not have had e-mail, for example, but rather Apple e-mail, Chase e-mail, Samsung e-mail.
I just can not believe you forgot vibrator...
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
The main problem with CurrentC is not the QR-codes, though that is kind of ridiculous and old-timey. The main problem is the direct line into your banking account with no credit card intermediary, which strips you of much of the fraud protection you enjoy with ApplePay, or even just by swiping plastic. That means instead of being on the hook for no more than $50 in the event of fraud (and many cards waive this these days), your bank account can simply be emptied. Good luck getting that money back. And even if you succeed, it's still gone for the duration, when you may have needed it for other purchases and bills.
CurrentC needs to die. And the retailers trying to push it need to be made to suffer.
Imagine all the people...
Mobile payment is a solution in search of a problem.
No, it doesn't need a live connection with the card carrier, except when you set up each card in the phone's payment app. It snaps a picture of the front-side number and expiration, and encodes that in its onboard tokenization chip. At transaction time, the tokenization chip computes the one-time code that gets sent to the retailer's NFC reader.
1. Security of credit cards is a non-issue for consumers. You are insured against losses over $50 and most banks will cover the entire loss.
Nonsense. That argument only addresses a single one of the issues people deal with when a card is lost or stolen.
For instance, I lost my credit card last year (misplaced it, called it in as lost, later found it), and I was finding all sorts of new headaches for at least two months afterwards, even though it wasn't even stolen (e.g. I discovered that my ISP's autopay locks in its payment method a week before the bill goes out, so even though I had updated my autopay settings to reflect the new card, my old card got charged, resulting in a returned payment fee and a late payment fee from my ISP). My parents had someone skim their card, and they ended up dealing with weird items showing up on their credit reports for years afterwards that were apparently all linked back to the original theft.
Protecting your money is certainly the most important aspect of security, but it's by no means the only thing that you have to protect. Speaking from experience, you'll likely lose a lot of hours that could have been put to better use otherwise.
2. Pulling a credit card out of my wallet is much easier than getting my phone, typing in the unlock password and then launching the app.
Yes and no. CurrentC works as you describe, and that's why I said that it's no more convenient than a card in my last comment. Apple Pay, on the other hand, does not work the way you describe, since it doesn't require a password and doesn't require you to launch an app. That's it.
If I drop the credit card, no big deal. If I drop my phone it's a problem.
That's already the case since our phones are increasingly important to our daily lives. This doesn't change any of that. If you're prone to dropping your phone, then you're quite right that ditching your cards may not be a good idea.
Also, it's easier to give someone else (friend/family) your credit card to use for a purchase than your phone.
None of these phone-based payment systems preclude you from loaning a family member your card, since it's not like it disappears when you add it to your phone. You can still loan it to them just fine, and if you're in the habit of regularly loaning out your credit card, it definitely would make sense for you to keep it around for that purpose.
Just because there are a handful of unusual use cases that credit cards handle better does not mean that they're more convenient in general. It just makes them more convenient for those edge cases. If you're someone who regularly deals with those edge cases, then a phone-based payment method is likely not for you, and that's fine. For someone like me or most other people though? I'm looking forward to using them whenever I get around to upgrading to a phone that supports them.
3. Why do I care about retailers tracking my purchases from them?
As I mentioned in another reply, MCX is the industry group behind CurrentC, which is what Chase Pay is built on. MCX partner companies have the ability to share data between each other. Maybe I'm old fashioned, but I don't want Best Buy and Walmart sharing data with CVS, my pharmacy, but because all three of them are MCX partners, that possibility exists.
But even within a single retailer, I'm opposed to them tracking me at all, simply because it represents an invasion of my privacy. They can sell my purchase history to third parties without my consent, can be bought out by mega-corporations that leverage that information across dozens of other subsidiaries, or can simply use it in unsavory ways. Whether it's condoms, hemorrhoid medication, or a dozen pints of ice cream, we all make purchases that we'd rather not have out there for the world to see.
You may have no problem with the current state of things, but many of us do. Don't drag the rest of us down just because you don't care.